feat(firewall): basic per-VM firewall rules (#36) #147
Merged
Add user-configurable per-VM firewall rules applied on top of the
always-enforced ipfilter anti-spoof rules. Default policy stays allow-all.
- DB: vm_firewall_rule table + migration; firewall_rule_limit on templates;
VmFirewallRule model + enums; LNVpsDbBase CRUD methods (mysql + mock)
- API: GET/POST/PATCH/DELETE /api/v1/vm/{id}/firewall with ownership,
per-VM rule limit (default 20), and CIDR/port validation
- Re-apply: WorkJob::ApplyVmFirewall + worker handler; FullVmInfo loads rules
- Proxmox: translate DB rules to PVE firewall rules and sync (delete stale
lnvps-fw-tagged rules, re-add current set), preserving the ipfilter rule
- Docs: API_CHANGELOG.md + API_DOCUMENTATION.md
nftables backend (#33) and use_nftables host flag (#34) remain out of scope.
v0l (Contributor, Author) commented Jun 25, 2026
We should also support a REJECT action and a VM-level input/output policy instead of always being accept.
Address PR #147 review: support a REJECT rule action alongside ACCEPT/DROP and a user-configurable per-VM inbound/outbound default policy (accept/drop/reject), instead of always defaulting to accept.
- DB: VmFirewallRuleAction::Reject; new VmFirewallPolicy enum; fw_policy_in/fw_policy_out columns on vm; update_vm_firewall_policy CRUD (mysql + mock)
- API: ApiFirewallAction::Reject, ApiFirewallPolicy + GET/PATCH /api/v1/vm/{id}/firewall/policy; queues ApplyVmFirewall on change
- Proxmox: map Reject -> REJECT; per-VM policy overrides host default in patch_firewall
- Docs: API_CHANGELOG.md + API_DOCUMENTATION.md; tests for enum round-trips, rule translation, policy CRUD
Implements basic user-configurable per-VM firewall rules.
Fixes #36
What
User-defined ACCEPT/DROP firewall rules per VM, applied on top of the
always-enforced ipfilter (anti-spoof) protection. The default policy stays
allow-all inbound/outbound, so there is no behaviour change for existing VMs.
Changes
- Data model (lnvps_db)
  - 20260624123544_vm_firewall_rule.sql: new vm_firewall_rule table + nullable firewall_rule_limit on vm_template / vm_custom_template
  - VmFirewallRule model + VmFirewallDirection / VmFirewallProtocol / VmFirewallRuleAction enums
  - LNVpsDbBase CRUD methods (MySQL + MockDb impls)
- User API (lnvps_api)
  - GET/POST /api/v1/vm/{id}/firewall
  - PATCH/DELETE /api/v1/vm/{id}/firewall/{rule_id}
  - CIDR + port-range validation (ports 1–65535, start ≤ end)
- Re-apply plumbing
  - WorkJob::ApplyVmFirewall { vm_id } + worker handler; queued on every change
  - FullVmInfo now loads firewall_rules
- Proxmox backend
  - to_pve_firewall_rule translates DB rules → PVE firewall rules (tagged with a lnvps-fw:{id} comment)
  - patch_firewall syncs: deletes stale tagged rules (by position, descending), then re-adds the current set in reverse priority order, always preserving the ipfilter anti-spoof rule
  - delete_vm_firewall_rule API client method
- Docs: API_CHANGELOG.md + API_DOCUMENTATION.md (OpenAPI auto-generated).
Out of scope
nftables backend (#33) and the use_nftables host flag (#34) — libvirt's patch_firewall remains a stub until then.
Testing
- ApiVmFirewallRule::from, mock DB CRUD, Proxmox rule translation
- cargo test --workspace --exclude lnvps_e2e -- --test-threads=1 green
- cargo fmt clean; builds with --features openapi
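The patch_firewall sync described above, modelled as an added example that is not the lnvps project's own code: stale lnvps-fw-tagged rules are deleted by descending position (so earlier deletions never shift a position still to be deleted), untagged rules such as the ipfilter anti-spoof rule are never touched, and the current set is re-inserted at the top in reverse priority order. The rule structs, the "ipfilter" comment, and the convention that a lower priority value is evaluated earlier and that new rules insert at position 0 are assumptions of this example.

```rust
// Added example (not lnvps code): a pure model of the patch_firewall sync step.
// Assumption: `pos` equals the rule's index in the list handed to `sync`.
#[derive(Clone, Debug, PartialEq)]
pub struct PveRule {
    pub pos: usize,
    pub comment: String,
    pub body: String, // opaque here; the real rule fields are out of scope
}

/// A user rule from vm_firewall_rule. Assumption: lower priority runs first.
#[derive(Clone, Debug)]
pub struct DbRule {
    pub id: u64,
    pub priority: u32,
    pub body: String,
}

pub const TAG: &str = "lnvps-fw:";

/// Positions of stale tagged rules, descending, so that removing them one at
/// a time never shifts a position that is still to be removed. Untagged rules
/// (the ipfilter anti-spoof rule among them) are never listed.
pub fn stale_positions(existing: &[PveRule]) -> Vec<usize> {
    let mut pos: Vec<usize> = existing
        .iter()
        .filter(|r| r.comment.starts_with(TAG))
        .map(|r| r.pos)
        .collect();
    pos.sort_unstable_by(|a, b| b.cmp(a));
    pos
}

/// Delete stale tagged rules, then insert the current set at the top in reverse
/// priority order (assumed: new rules land at pos 0), so the rule with the
/// lowest priority value is evaluated first. Positions are renumbered at the end.
pub fn sync(existing: &[PveRule], desired: &[DbRule]) -> Vec<PveRule> {
    let mut rules: Vec<PveRule> = existing.to_vec();
    for p in stale_positions(existing) {
        rules.remove(p); // safe only because positions are visited descending
    }
    let mut ordered: Vec<&DbRule> = desired.iter().collect();
    ordered.sort_by_key(|r| std::cmp::Reverse(r.priority));
    for r in ordered {
        let comment = format!("{}{}", TAG, r.id);
        rules.insert(0, PveRule { pos: 0, comment, body: r.body.clone() });
    }
    for (i, r) in rules.iter_mut().enumerate() {
        r.pos = i;
    }
    rules
}
```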